2018-09-04 - QUICK POST: HANCITOR MALSPAM USES PDF ATTACHMENT

ASSOCIATED FILES:

• 2018-09-04-Hancitor-malspam-example.eml.zip   125 kB (125,192 bytes)
• 2018-09-04-Hancitor-malspam-infection-traffic.pcap.zip   2.4 MB (2,378,935 bytes)
• 2018-09-04-malware-from-Hancitor-malspam-infection.zip   433 kB (433,440 bytes)

NOTES:

• Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
• Hancitor malspam was using PDF attachments today, instead of links in the message text to download the malicious Word doc.
• Instead, the PDF attachments had a link to the Word doc.
• Time to update the flow chart....

Shown above:  Chain of events for today's Hancitor malspam infection.

 

IMAGES

Shown above:  Screenshot of an email from today's wave of Hancitor malspam.

 

Shown above:  PDF attachment from the malspam.

 

Shown above:  After downloading the Word doc, enable macros to infect a vulnerable Windows host.

 

Shown above:  Traffic from the infection filtered in Wireshark.

 

Click here to return to the main page.